Skip to main content

User Verification CVE-2026-32497

| EUVDEUVD-2026-15843 MEDIUM
Weak Authentication (CWE-1390)
2026-03-25 Patchstack
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15843
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
MEDIUM 5.3

DescriptionCVE.org

Weak Authentication vulnerability in PickPlugins User Verification user-verification allows Authentication Abuse.This issue affects User Verification: from n/a through <= 2.0.45.

AnalysisAI

A weak authentication vulnerability in the PickPlugins User Verification WordPress plugin (versions up to 2.0.45) allows attackers to bypass email verification mechanisms, enabling authentication abuse and unauthorized account creation or takeover. This vulnerability has been identified by Patchstack as an email verification bypass issue affecting the user verification functionality, potentially exposing sites using this plugin to account compromise and unauthorized access. The practical impact depends on how the plugin integrates with site authentication workflows, but successful exploitation could allow attackers to register accounts, access user data, or impersonate legitimate users.

Technical ContextAI

The vulnerability resides in the PickPlugins User Verification plugin (identified via CPE cpe:2.3:a:pickplugins:user_verification:*:*:*:*:*:*:*:*), which implements email verification as a gating mechanism for user authentication and account creation. The root cause is classified under CWE-1390, which relates to weak authentication mechanisms that fail to properly validate user identity. Specifically, the plugin's email verification logic contains flaws that permit attackers to circumvent the intended verification step, likely through inadequate token validation, missing CSRF protections, timing window exploitation, or insufficient entropy in verification tokens. This allows attackers to establish authenticated sessions without completing the legitimate email verification workflow that should confirm legitimate ownership of the email address.

RemediationAI

Immediately upgrade PickPlugins User Verification to a version greater than 2.0.45 (verify availability of patched version from the vendor or Patchstack advisory). If a patched version is not yet available, disable email verification in the plugin configuration as a temporary measure, or consider deactivating the plugin entirely until a fix is released. Additionally, implement application-level compensating controls such as enforcing CAPTCHA on registration, requiring manual admin approval for new accounts, and monitoring authentication logs for suspicious account creation patterns. Review recently created user accounts for suspicious activity and consider resetting passwords for any accounts created since the plugin was deployed. Subscribe to Patchstack security alerts and monitor the WordPress plugin repository for version updates.

Share

CVE-2026-32497 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy